After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.

"Or when debian ran valgrind on openssl and shipped a broken version for years before it was detected, resulting in piles of compromised keys? The code was there for all to see. http://blogs.fsfe.org/tonnerre/archives/24

This was a bug, an error, a mistake. It was not malware. Malware is where someone deliberately tries to put malicious code into the system for their benefit at users' expense.

I repeat, AFAIK, "the track record is that malware has never been distributed to users via open source repositories"."

How do you know if it's a mistake? As the competition link illustrates, a key point here is plausible deniability - when code is caught, it can be plausibly said to be a mistake rather than malicious. But we have no way to know when that's really true; only the person who put it there knows their intention. A backdoor is planted in both cases, and we're left guessing as to why, and who knew about it, and whether it was being actively exploited.

Put another way, if the Debian openssl maintainer was malicious, we can clearly see that no OSS safeguard would protect against large-scale compromise of machines. Plausible code can be included and distributed without sufficient review to ensure that it's secure.